libsmx 0.3.0

Pure-Rust, no_std, constant-time SM2/SM3/SM4/SM9 Chinese cryptography (GB/T 32918/32905/32907/38635)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

# Security Policy

## Supported Versions

| Version | Supported |
|---------|-----------|
| 0.3.x   | Yes       |
| 0.2.x   | Yes       |
| 0.1.x   | Yes       |
| < 0.1   | No        |

## Reporting a Vulnerability

If you discover a security vulnerability in libsmx, please report it responsibly:

**Email**: [kintai@foxmail.com](mailto:kintai@foxmail.com)

**Please include**:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Any potential impact assessment

**Response timeline**:

This project is maintained by an individual. No fixed response time is guaranteed. The author will handle all security reports as soon as possible, but cannot commit to specific timelines.

## Scope

The following areas are considered in-scope for security reports:

- **Timing side-channels**: Any operation whose execution time depends on secret data (private keys, plaintext, nonces)
- **Memory safety**: Buffer overflows, use-after-free, or uninitialized memory reads (note: this crate uses `#![forbid(unsafe_code)]`)
- **Key material leakage**: Private keys or intermediate secret values not properly zeroized
- **Cryptographic correctness**: Deviations from GB/T standards that weaken security guarantees
- **Authentication bypass**: Incorrect MAC/tag verification in GCM/CCM modes

## Out of Scope

- Performance issues that don't affect security
- Dependencies' vulnerabilities (report upstream)
- Attacks requiring physical access to the device

## Security Design

libsmx employs the following defenses:

- **Constant-time operations**: All secret-dependent code uses `subtle::ConstantTimeEq`, `ConditionallySelectable`, and fixed-iteration loops
- **No table lookups for S-boxes**: SM4 uses boolean circuit bitslice implementation to prevent cache-timing attacks
- **Automatic key zeroization**: All private key types derive `ZeroizeOnDrop`
- **No unsafe code**: `#![forbid(unsafe_code)]` is enforced at the crate level
- **Complete EC formulas**: SM2 point addition uses branch-free complete addition formulas (Renes-Costello-Batina 2016)

## Disclosure Policy

We follow coordinated disclosure. Please do **not** open public GitHub issues for security vulnerabilities.